[Bro] Bro questions from a rookie

Alex Hope alex.hope at shopify.com
Mon Sep 26 10:08:39 PDT 2016


Hi! I'm a rookie Bro developer doing an internship. My first task requires
me to work with Bro to tidy up how we use Bro to monitor network traffic.
I'm trying to use the new_connection event to act as a catch-all for all
traffic that doesn't fall into more specific categories. I have three
questions:

1. If there is a DNS connection, how do I access that part of the record?
If c is the connection, do I simply use
  c$dns$query
and call it a day? So far that hasn't worked for me.

2. In the event that I can't just use new_connection for everything and
then filter my reporting from there, is there a generic "dns_reply" type of
event or do I need to use dns_A_reply and dns_AAAA_reply and so on for all
DNS replies?

3. If I end up running with the various DNS reply events *and* the
new_connection event in order to capture "everything else," is there a
built-in way to only execute one event response when multiple events are
triggered? For example, if I get a DNS A reply, that'll trigger the
dns_A_reply event as well as the new_connection event. I'd like to only
handle that traffic in the dns_A_reply event and not bother executing the
new_connection event. Short of setting up some sort of global "Has already
been handled" flag, is there a built-in way to run an event ONLY IF no
other events were triggered?

Thanks,

Alex
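As an added illustration of the three points raised above (not part of Alex's message and not Bro's own example code), one common Bro-script pattern: guard the optional `dns` field with `?$`, mark the connection from the specific handler, and do the catch-all in `connection_state_remove` rather than `new_connection`, since the latter fires on the first packet before any protocol record is attached. The record field name `handled_by_dns` is an assumption introduced for this example.

```bro
# Added illustration (not from the original post): combining per-protocol
# DNS handlers with a connection-level catch-all in Bro script.
# Assumes stock Bro with base/protocols/dns loaded.

# Hypothetical per-connection flag, added by extending the connection record.
redef record connection += {
    handled_by_dns: bool &default=F;
};

# Specific handler: fires once per A record in a DNS reply.
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    c$handled_by_dns = T;
    # c$dns is attached by the DNS analyzer before this event is raised,
    # but query itself is &optional, so guard both before dereferencing.
    local q = c?$dns && c$dns?$query ? c$dns$query : "<no query>";
    print fmt("DNS A: %s -> %s (client %s)", q, a, c$id$orig_h);
    }

# new_connection fires on the first packet, before any payload is parsed,
# so c$dns is not yet set here and c$dns$query would be a runtime error.
event new_connection(c: connection)
    {
    if ( c?$dns )
        print fmt("unexpected: dns field already set on %s", c$uid);
    }

# connection_state_remove fires when the connection is expired from state,
# after every protocol handler has run, so the flag and records are final.
event connection_state_remove(c: connection)
    {
    if ( c$handled_by_dns )
        return;   # already reported by the DNS handler; skip the catch-all

    if ( c?$dns )
        # DNS traffic that produced no A answer (NXDOMAIN, other RR types)
        print fmt("DNS other: %s -> %s:%s", c$id$orig_h, c$id$resp_h, c$id$resp_p);
    else
        print fmt("other: %s -> %s:%s %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, c$service);
    }
```

Run it with `bro -r some.pcap this_script.bro` (or `bro -i <iface>`) to see the DNS handler and the catch-all fire on disjoint sets of connections.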